Identifying and Reverse Engineering Data-Driven Cyber Risk Indicators for Malicious Exfiltration
In 2020, MITRE’s behavioral scientists and cyber engineers identified 13 different data exfiltration techniques used by malicious insiders on a live network. Many of the techniques were creative and unique, while others were used routinely by the rest of the workforce for benign, legitimate work. The techniques were identified through in-depth interviews with over 150 employees who completed a task on a corporate network in which they either maliciously removed data from the network and sent it to a competitor, or legitimately sent material off the network to a customer. Fifty of those employees had specialized cyber defensive and cyber offensive skills. During the insider threat study, employees permitted us to collect all of their cyber sensor data in the weeks before, during, and after they completed the task. MITRE’s team of scientists and engineers is currently conducting a thorough examination of how those exfiltration techniques appeared in the cyber sensor log data, cross-referencing the qualitative interview data against the sensor logs. The team will then use the combined data to reverse engineer the corresponding behaviors in the cyber data and apply statistical techniques to identify which behaviors in the cyber log data are the most effective indicators of malicious insider exfiltration.